Angralitux
join:2004-05-20
DO

Angralitux

Member

[H/W] 2504 WLC for hardening WIFI

Hello,

I've been tasked with securing the Wireless LAN infrastructure. I plan to take on these three things:

1. Separate the wifi networks from production/user networks.
2. Add some form of authentication; I'm thinking certs or just domain credentials with EAP.
3. Put the newly created network on a different firewall segment.

I do have a clear idea of what to accomplish, but I'm considering adding a WLC because of the growing number of APs I have to manage (all being Cisco Aironet).

1. What would be the benefit of adding a WLC, like the Cisco 2504, if I can already do all of the above using existing infrastructure facilities?
2. Will this WLC work like other implementations (like Fortinet), where you can have all the configuration on the controller and the AP creates a virtual tunnel between the controller and itself? This would be useful for having remote APs on different sites join the controller.
3. My APs are all running a full IOS, not the stripped-down version I have seen they get when used with a WLC; will these need replacement, or their OS?

Thanks,
ladino
join:2001-02-24
USA

ladino

Member

The Cisco Wireless Design Guide should point you in the right direction

»www.cisco.com/c/dam/en/u ··· PR14.pdf
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Angralitux

MVM

said by Angralitux:

1. What would be the benefit of adding a WLC, like the Cisco 2504, if I can already do all of the above using existing infrastructure facilities?

Two words: central management. Don't know how many APs you have in your environment in total, but imagine having to change something like the level 15 password manually across 100 APs in total, for example. Mind you, this is just an extreme example.
said by Angralitux:

2. Will this WLC work like other implementations (like Fortinet), where you can have all the configuration on the controller and the AP creates a virtual tunnel between the controller and itself? This would be useful for having remote APs on different sites join the controller.

IIRC, Cisco WLCs do do this... WLC in one area, WAPs in another, with a WAN circuit separating the two.
said by Angralitux:

3. My APs are all running a full IOS, not the stripped-down version I have seen they get when used with a WLC; will these need replacement, or their OS?

Never done an implementation of lightweight APs before, but as far as I know the WLC handles that and turns the APs into a plain radio antenna.

Hope that helps.

Regards
cramer
Premium Member
join:2007-04-10
Raleigh, NC

cramer

Premium Member

said by HELLFIRE:

imagine having to change something like the level 15 password manually across 100 APs in total, for example.

Been doin' that my entire professional career. (someone who can't, shouldn't be in that position) But it's nice to have something else manage it.
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

Once you get a rhythm going it's not so bad!

michieru
Premium Member
join:2009-07-25
Denver, CO

michieru to Angralitux

Premium Member

1. Centralized management of all APs, with different configuration applications applied in single or bulk cases.

1a. Provides a WIPS (Wireless Intrusion Prevention System) to view APs within the area that are trying to mimic your SSID and steal client credentials to obtain access to the network.

1b. Reporting of current users, their usage, network outages, RF maps, etc. (This might be an extension of the WLC and not part of the WLC itself [Cisco's way].)

2. I believe it's possible to create tunnels; however, I never implemented such a configuration.

3. I probably don't really know the answer to this one; however, they would need to be in the same LAN for them to discover the controller initially.

WiFi networks are always treated as rogue networks even if they are your own, and currently should never be combined with production/user networks anyway. Place guests on a separate VLAN from production.
cramer
Premium Member
join:2007-04-10
Raleigh, NC

cramer to markysharkey

Premium Member

*cough*scripts*cough*
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

LOL
adawa
join:2014-05-08
Garland, TX

adawa to Angralitux

Member

Hello, Angralitux. Getting a WLC would definitely help centralize management of multiple APs. How many APs are you looking to manage? You can also check on the Cisco 5500 WLC for multi-site support and scalability of your wireless network. Let me know if you have additional concerns or if you need local Cisco support. Kind regards, and hope this helps!

Angralitux
join:2004-05-20
DO

Angralitux

Member

Thanks all for the replies. I really appreciate the help you guys give every time I or someone else comes asking for something; I learn both ways.

I already have most of the info; my only doubt is whether I'll be able to connect APs across remote subnets. I can't find any info on whether the WLC 2504 will be able to do the "FlexConnect" thing that is needed for this.
Angralitux

Angralitux to adawa

Member

Adawa, maybe you can help me with this concern. Can't I get multi-site or remote-site admin with the 2504? Must we get the 5500 WLC? What about the virtual version? I will be handling at most 20-30 APs.
tired_runner
Premium Member
join:2000-08-25
CT

tired_runner

Premium Member

It should work across remote sites. You need a DNS server or entry at the remote site pointing cisco-lwapp-controller.yourdomain.do or cisco-capwap-controller.yourdomain.do to the IP address of your WLC.

I would check that you're not filtering LWAPP or CAPWAP traffic in between as well.
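A pre-check for the two conditions tired_runner describes (a controller discovery record in DNS and the CAPWAP join traffic not being filtered between the remote site and the WLC), as an added Python example that is not from the thread; the simplified first-match ACL model, the addresses and the domain are all constructed.

```python
import ipaddress
from dataclasses import dataclass
CAPWAP_PORTS = (5246, 5247)  # CAPWAP control and data (RFC 5415); LWAPP used 12222/12223

@dataclass
class Rule:  # one line of a simplified, first-match firewall ACL
    action: str      # "permit" or "deny"
    proto: str       # "udp", "tcp" or "ip" (any)
    src: str         # source CIDR
    dst: str         # destination CIDR
    dport: int = 0   # 0 means any destination port

def first_match(rules, proto, src_ip, dst_ip, dport):
    """Return the first rule matching the flow, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.dport and r.dport != dport:
            continue
        return r
    return None

def check_ap_join(dns, domain, ap_ip, rules, ports=CAPWAP_PORTS):
    """List what would stop an AP at ap_ip from joining the WLC; an empty list means it can."""
    wlc_ip = (dns.get(f"cisco-capwap-controller.{domain}")
              or dns.get(f"cisco-lwapp-controller.{domain}"))
    if wlc_ip is None:
        return [f"no cisco-capwap-controller or cisco-lwapp-controller record in {domain}"]
    findings = []
    for port in ports:
        m = first_match(rules, "udp", ap_ip, wlc_ip, port)
        if m is None or m.action == "deny":
            why = "implicit deny" if m is None else f"rule {m}"
            findings.append(f"udp/{port} {ap_ip} -> WLC {wlc_ip} blocked by {why}")
    return findings

# Constructed sample data (hypothetical addresses and domain, not from the thread).
DNS = {"cisco-capwap-controller.example.do": "10.0.1.10"}
RULES = [
    Rule("permit", "udp", "10.20.0.0/24", "10.0.1.10/32", 5246),  # control only...
    Rule("deny", "ip", "10.20.0.0/24", "10.0.0.0/8"),              # ...so data 5247 is denied
    Rule("permit", "ip", "10.30.0.0/24", "10.0.1.0/24"),           # remote site done right
]

if __name__ == "__main__":
    for ap in ("10.20.0.5", "10.30.0.5", "10.40.0.5"):
        print(ap, check_ap_join(DNS, "example.do", ap, RULES) or ["ok"])
```

The 10.20.0.0/24 site shows the classic half-open mistake: the control port is allowed but the data port is not, so the AP discovers the controller and still never carries client traffic.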

Angralitux
join:2004-05-20
DO

Angralitux

Member

Thanks, networkguy. I don't think our WAPs are modern enough to support CAPWAP, but this infrastructure is managed entirely by our team, so I believe this will not be an issue.
tired_runner
Premium Member
join:2000-08-25
CT

tired_runner

Premium Member

If you need to centrally manage your wireless infrastructure using the 2504, your biggest initial headache is converting your APs to lightweight. That will require touching every AP.

I'm only familiar with 1311s and 1600s, and these are relatively painless to convert.
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

I converted a bunch of 1142s. As long as the IOS is available via TFTP, it's a single command line...